f the external interface of the
> firewall rather than the carp interface that the pf NAT rules are using for
> other traffic.
>
> For example if the following IP scheme is used/pf rules are
> in place:
> ext_if="1.1.1.1"
> carp_if="1.1.1.2"
int_if="
In an attempt to use relayd as an outbound http "proxy", which is just needed
to do URL filtering rather than content caching, I'm finding that the outbound
connections are being sourced from the IP of the external interface of the
firewall rather than the carp interface that the p
On 2011-06-20, Marko Viitanen wrote:
> Hi,
>
> I'm running an OpenBSD 4.8 firewall cluster doing ipsec and packet
> filtering. Due to customer requirements I've used IPSec outgoing network
> address translation and it does exactly what I want it to do. However
> I've come to a situation where w
Hi,
I'm running an OpenBSD 4.8 firewall cluster doing ipsec and packet
filtering. Due to customer requirements I've used IPSec outgoing network
address translation and it does exactly what I want it to do. However
I've come to a situation where we need access to customer's network from
two in
lto:owner-m...@openbsd.org] On behalf of Ricardo
Augusto de Souza
Sent: Wednesday, 25 March 2009 12:18
To: misc@openbsd.org
Subject: Help PF/NAT rules
Hi,
I have this environment:
Server A ( OpenBSD 4.4 ), with poptop and PF and windows clients
connecting via pptp client.
Probl
Hi,
I have this environment:
Server A ( OpenBSD 4.4 ), with poptop and PF and windows clients
connecting via pptp client.
Problem: vpn clients cannot access network 10.10.0.0/24 but they are
able to access 10.100.0.0/24.
The rules are the same, just this is different:
# route show
Rou
Chris Smith wrote:
> On Wednesday 16 July 2008, Marco Fretz wrote:
>> pf nat rule:
>> nat log on bge0 inet from 172.16.12.128/27 tag natted -> 88.82.xx.xx
>>
>> pf filter rule:
>> pass log quick all flags S/SA keep state tagged natted
>
> FWIW, you no longer need to specify "flags S/SA keep state"
On Wednesday 16 July 2008, Chris Smith wrote:
> > pass log quick all flags S/SA keep state tagged natted
Just to clarify my thinking - the packet has to be passed in before it
can be natted which applies, in your case, the natted tag, changing the
above to a pass out rule and then add a pass in
On Wednesday 16 July 2008, Marco Fretz wrote:
> pf nat rule:
> nat log on bge0 inet from 172.16.12.128/27 tag natted -> 88.82.xx.xx
>
> pf filter rule:
> pass log quick all flags S/SA keep state tagged natted
FWIW, you no longer need to specify "flags S/SA keep state" as it is the
default.
It do
Hello
I've the following problem in PF with NAT / Filtering, OpenBSD 4.4
(-current):
pf nat rule:
nat log on bge0 inet from 172.16.12.128/27 tag natted -> 88.82.xx.xx
pf filter rule:
pass log quick all flags S/SA keep state tagged natted
the packet is dropped by my default deny rule (the rule
On Thu, May 22, 2008 at 06:18:21PM +0100, Joe Warren-Meeks wrote:
Hey there,
> We have two separate datacentres, one using 172.16.1.0/24 and the other
> using 172.16.2.0/24. In front of both are NAT'ing OpenBSD firewalls,
> using something like:
>
> nat on $ext_if from <prv_net> -> ($ext_if:0)
Ignore m
Hello there,
We have two separate datacentres, one using 172.16.1.0/24 and the other
using 172.16.2.0/24. In front of both are NAT'ing OpenBSD firewalls,
using something like:
nat on $ext_if from <prv_net> -> ($ext_if:0)
(Where prv_net contains the netblock of that datacentre).
Now, I would like that NA
yes, that should be possible. if it does not work, then it's a bug.
On Mon, Sep 24, 2007 at 03:08:29PM +0200, Markus Wernig wrote:
> Hi all
>
> Can tags from ipsec (defined in ipsec.conf) be referenced in pf nat
> rules (OBSD 4.1)?
>
> The idea is:
> ipsec.conf:
Hi all
Can tags from ipsec (defined in ipsec.conf) be referenced in pf nat
rules (OBSD 4.1)?
The idea is:
ipsec.conf:
ike esp from A to B tag "mytag"
pf.conf:
nat on $int_if tagged "mytag" -> ($int_if:1)
nat on $int_if from !($int_if) -> ($int_if:0)
If I use
Julien TOUCHE wrote on 20/08/2005 17:41:
lan & internet setup is working ok for years, dmz is used recently.
problem is when i'm on the dmz (static or dhcp ip, wire or wireless),
http browsing is damn slow.
ok, found it
# ifconfig sis2
sis2: flags=8843 mtu 1500
address: 00:00:aa:bb:cc
g is damn slow.
first, are the following nat rules possible ? (nat on multiple
networks from different interface; problem ?)
nat on $ExtIF inet from $IntIF:network to any -> ($ExtIF)
nat pass on $ExtIF inet from $DmzIF:network to any -> ($ExtIF)
#nat on $ExtIF inet proto tcp from $DmzIF